One wonders what the heck was going on at Daimler, maker of the high quality, classy Mercedes Benz automobile. In case you missed it, media reports depict Daimler as admitting to having engaged in a massive and pervasive bribery scheme, and agreeing to pay $185 million to settle charges. And this wasn’t information the company volunteered, but rather the result of a lengthy government investigation.

And it wasn’t just a one-time event – not by a long shot. Rather, hundreds of bribes totaling tens of millions of dollars were paid in no less than 22 countries over a ten-year period. In a number of instances so-called “cash desks” were used to pay currency directly to government officials. In other cases the company used foreign bank accounts of shell companies to hide payments. Daimler reportedly also jacked up invoices for cars to generate still other payments.

What’s perhaps most disturbing is that the reports say this wasn’t a lower and middle management activity, but involved “important executives” including heads of overseas sales divisions, and more unsettling, even the company’s internal audit office. The Department of Justice complaint speaks to Daimler’s “longstanding violations” of bribery rules and a “corporate culture that tolerated and/or encouraged bribery.” The reports also say the complaint points to “a lack of central oversight over foreign operations.”

It’s well known the Justice Department in the U.S. is pushing hard on possible Foreign Corrupt Practices Act violations, and European regulators are increasing rule making and enforcement as well. And internal controls to help deal with the risk of improper payments are well known. Of course, if senior managers are turning a blind eye, or worse yet encouraging such payments, then all bets are off. For readers with responsibility for dealing with these kinds of issues, a company’s corporate culture, including the tone at the top of the organization, is the first place you’ll want to focus attention. And then you’ll want to look at the kind of risk management and compliance processes in place, and how they’re working, to hopefully gain comfort in your organization that anti-bribery indeed is under control.

For readers interfacing with your companies’ audit committees, a just released survey from Directorship Boardroom Intelligence highlights what’s in the forefront of committee members’ minds today. The results are reported in a top-ten list (unlike the Letterman top ten lists, this one appears to begin with the most significant):

In the Compliance Week 2010 panel Honest Experience with GRC Tools, Joann Sochor, VP Corporate Compliance at the Bank of Montreal Financial Group, spoke about their experience with OpenPages. See http://bit.ly/bMjFbl for slides that describe scope of implementation–40 different data marts, over 5K controls consolidated onto a single technology platform.

US Rep and House Financial Services Committee Chair Barney Frank gave the opening keynote at Compliance Week 2010, day 2. As usual, he was witty and insightful. His remarks covered the conceptual underpinnings of financial services regulatory reform. He then took questions from the group.

He started out by saying that we needed to move quickly to provide stability to the financial system. Healthcare created a delay, but they are now on track.

To those who are cynical about government and think that “big money” runs politics, he said that the bills are the “defining counter example” of a bill that passed despite big money lobbying.

He noted that once the House passed their bill there was an assumption that the Senate would pass a watered down version, but the opposite happened–because the public was paying attention, it forced the Senate to pass a strong bill, the implication being that we should all be more vigilant about the process on Capitol Hill.

The bill should be passed before July 4, which is important for stability.

The outlines of the bill were described by Paulson in March of 2008 when he described the need for a way to dissolve non-bank financial institutions. As Frank put it, Palin’s “Death Panels” were discussed in the context of the wrong bill!

This bill will require that all financial services institutions report their financial transactions to some regulator. If an entity becomes problematic, then the regulator can take action. The regulators will also have a mechanism to require enough capital for these entities to stay solvent. However, as has been commented on the Baseline Scenario at http://bit.ly/bDddch, the amount of capital that would be required has not been defined, potentially to allow for alignment with rules in other countries.

Frank said that the real “problem was non-regulation”, pointing out that we did not have rules for credit default swaps, for instance. During the Q&A period, he used derivatives as another example of non-regulation. He said that under the bills, derivative transactions will have to be reported.

Matt Kelly, Compliance Week Editor, asked a question about international coordination. Frank pointed out that “nothing in the world is more mobile than capital” and that we should not legislate unilaterally without coordination with other countries.

Companies with market caps less than $70 million will likely be excepted from 404.

Addressing the concern of “unintended consequences,” Frank said that it was not an unintended consequence that companies may not be able to make as much money trading derivatives, as his vision for the financial services sector is that it exists to enable investment activity to grow the economy.

When asked why the regulatory reform bill is so broad, he pointed out that many of these issues are interrelated, concluding that “the ankle bone is [ultimately] connected to the shoulder bone.”

Shelley Parratt of the SEC’s Corporation Finance Division gave the afternoon keynote on Day 2 of Compliance Week 2010. She spoke about the Commission’s program of enhanced disclosure.

With 10K companies filing and SOX requiring the Commission to review every company’s filing at least once in three years, she said that the SEC has to use its resources appropriately, and the filter that it uses is how the information will be used by investors.

On executive compensation, she acknowledged that this is a very emotional topic. The SEC is trying to provide a clearer and more complete picture of what executives get paid. First, companies must provide a framework for how they make compensation decisions, but the SEC is interested in how the framework is used in real decisions. Also, the SEC is focusing on performance targets, how those targets change, and whether those targets are disclosed. “A company must engage in a thoughtful discussion about its disclosure decisions.” It is not sufficient, for instance, to just say that the target is “challenging”; the target should be put in the context of historical performance.

On disclosure about the board and company leadership, Parratt was very clear that Chairman Shapiro is interested in increased disclosure on leadership choices and risk oversight. She said that there is no requirement for a risk committee. Different companies may choose different approaches to discharge their responsibility for risk oversight.

Regarding non-GAAP financial measures, Parratt said that disclosures should be consistent across filings and other communications. In other words, if a company uses non-GAAP financial measures in its earnings call, they should also use those measures in their filings. In no circumstances, however, should those measures be misleading, whether they are in a filing or not.

Regarding climate change, Parratt was careful to state that the Commission was not taking a position on the potential effects of climate change.

During the Q&A session, Editor-in-Chief Matt Kelly asked about the current quality of the enhanced disclosure filings. Parratt acknowledged that “what we see in the first year of disclosure is often vastly different than what we will see in the second,” while noting that the first year’s disclosures aren’t necessarily out of compliance, inadequate, or poor, implying, of course, that this year’s proxy filings are all of the above!

Risk management best practices, strategic planning, networking and high energy were in abundance at OPUS 2010 – the sixth annual OpenPages User Symposium which witnessed continued growth in attendance. Featured topics at OPUS 2010 – where over 150 risk management professionals recently gathered from North America, Europe, South Africa and Asia, centered around evolving risk management strategies, risk convergence and implementing proactive compliance programs.

OpenPages President and CEO Michael Duffy kicked off Day One of the three-day user forum with the opening keynote address titled, ‘From Risk to Performance’ where he highlighted the evolution of risk management over the last decade and shared with attendees his vision for how risk management must adapt to the economic, regulatory and political pressures facing all companies today.

This was a common theme throughout OPUS 2010 as leading risk practitioners discussed the changes seen in the market over the past few years and how OpenPages customers are now in a unique position to provide valuable risk intelligence that will drive improved performance for their companies.

Following Michael Duffy’s opening keynote address, Madoff whistleblower Harry Markopolos outlined the red flags, warning signs and critical audit steps that companies need to be aware of to prevent similar events from occurring in the future. Following his keynote, Harry spent the day speaking to attendees, signing copies of his new book ‘No One Would Listen’ and sharing his thoughts on upcoming financial regulation (check out Pat O’Brien’s blog for more detail).

Julian Parkin, Group Privacy Programme Director at Barclays, kicked off Day Two with a fascinating case study on how Barclays has leveraged OpenPages for its risk management initiatives across the enterprise and across evolving risk types. Parkin described his target state as “a single view of risks, controls and governance across the organization.”

Throughout the three days, sessions were led by risk managers from a variety of customers and partners – American Express, Barclays, Carnival Corporation plc, Duke Energy, IBM, PwC and Williams Companies. Stay tuned for more details on these sessions in upcoming blog posts.

Thank you to all who attended, we look forward to seeing you at OPUS 2011!

The Senate voted on May 20 to close debate on a far-reaching financial regulatory bill, which clears the path for Congress to approve a broad expansion of government oversight of the increasingly complex financial markets. The goal is to prevent a repeat of the 2008 economic crisis and, according to President Obama, the new financial regulations will “protect consumers, protect our economy, and hold Wall Street accountable.”

I have read several books on the financial crisis over the last couple of months, including:

The common theme through all of these books is that there is plenty of blame to spread around when looking for the root causes of the financial crisis. Mistakes made by regulators, legislators, and ratings agencies had as much to do with the crisis as the greedy and heedless Wall Street firms who were turning subprime mortgages into exotic, toxic financial products that they made a fortune laundering and reselling.

The danger posed by this deranged edifice built on the unstable foundation of subprime mortgages, and the insanity of the growing and highly leveraged trade in mortgage derivatives was not foreseen by government regulators, Treasury officials or the Fed.

Over the last decade, Washington legislators were busy deregulating the Financial Services industry (e.g. the passing of the Gramm-Leach-Bliley Act in 1999 that repealed much of the Glass-Steagall Act) and pressuring financial services companies to provide mortgage loans to low-income groups (Fannie Mae and Freddie Mac were strong-armed into buying subprime loans).

The rating agencies who were supposed to police these securities were completely duped by the financial services companies. They were handing out Triple A ratings to CDOs comprised of adjustable rate, no doc, subprime loans. Not to mention the conflict of interest that is present since the rating agencies are paid by the very firms whose bonds they are asked to judge.

Maybe there is hope on the horizon, since the Senate recently approved a provision that will thrust the government into the middle of the process of determining who rates complex bond deals. Under the new provision, the SEC will establish and oversee a credit-rating board that will act as a middleman between issuers seeking ratings and the rating agencies.

Can we count on the SEC to make an improvement? Harry Markopolos’s book (“No One Would Listen”) about the Bernie Madoff scandal paints a grim picture of the SEC and the incompetence of the people he interacted with when trying to alert them to the multi-billion dollar Ponzi scheme Bernie was running. I recently had lunch with Harry at OPUS (OpenPages User Symposium) and he was very skeptical about all of the new regulations that appear to be headed our way. His view is that the government is focused on the battle we just fought and the regulators do a poor job at enforcing the regulations in the first place.

Can we really expect that President Obama’s optimism will become reality? Don’t hold your breath.

“Ask the engineers” discussion, which was a chance for our customers to talk to our product visionaries and get some additional tips, as well as special insights into our product vision for the next year.

We thank all our customers and partners for participating this year. You helped make it great!

OPUS has been a tremendous success so far. We’ve heard from thought leaders and customers, had great dialog within sessions, and more great keynote presentations. Here’s a video with more highlights from Day Two of OPUS 2010.

Mary Tuuk, EVP and CRO of Fifth Third Bank, spoke at Friday morning’s general session. US Banker Magazine has named her as one of the top 25 women to watch in banking, and she gave an interesting talk on the CRO perspective, “Leveraging Risk Management for Strategic Advantage.”

After discussing a historical perspective on the recent financial crisis, she discussed some of the lessons learned. First, risk management was too siloed from the rest of the institution. In many cases, she said, risk management runs stress tests, etc., but tended to be isolated from business decisions. Also, they failed to recognize the correlation of risks across domains, e.g. credit risk turned to liquidity risk, turned to reputational risk, which exacerbated the liquidity risk, and led to operational risk as the bank had to make new kinds of decisions. She also commented that this issue of risk culture is important: how are decisions really being made?

She showed an interesting graphic of how risk management can be a strategic advantage. She defines Economic Net Income as accounting net income – expected loss – cost of capital. In this way, risk management can help risk-adjust earnings for the expected loss of, say, a particular client relationship. Her graphic showed how those companies that don’t do this kind of evaluation will be stuck working with customers that those who do have turned down.

She ended her discussion on how convergence drives advantage. She talked about five areas of convergence: integrated governance (transparent decision-making); risk identification, aggregated measurement and monitoring; defined appetites; stress testing; and, risk culture. She gave some examples of how to assess risk culture:

Former Federal Reserve Board Governor and PCAOB Chairman Mark Olson spoke during the general session this morning about the proposed legislation for financial services regulatory reform, the main point of which is to ensure systemic stability for the financial system. He made an interesting point, saying that in the US “we have a limited tolerance for financial volatility” and that regulatory reform aims to dampen that volatility.

Regarding “too big to fail,” Olson said that he agreed that we should focus legislation to manage this risk to taxpayers but that this “is a very complex task” that shouldn’t be underestimated. He acknowledged that regulators and institutions agree that the soundness of the financial system requires better understanding the systemic risk posed by individual institutions, but the question is the best way to address this problem. He did note that the Dodd bill attempts to clarify the Fed’s role in “unusual and exigent circumstances” under section 13-3, which should provide more clarity as to what sort of consent is required for special action by the Fed, but, in the end, he said that the bill doesn’t address “too big to fail.”

He also said that the “tone and approach” of different regulatory agencies varies and that the bill will attempt to clarify responsibilities, although there are still certain areas of the bill which would lead to an overlap in responsibilities.

He noted that the Dodd bill will require risk committees that will require “timely and comprehensive information”, and he perceptively commented that the effectiveness of these committees will be dependent upon the quality of this information.

During the Q&A period, one member of the session asked about the so-called “shadow banking system” or financial services outside the regulatory scheme. Olson said that the consumer protection agency is trying to address this, and noted that the FTC had not been as aggressive as it should have been.

Overall, while Olson said that we would most likely get a bill passed this year, his comments did not make it clear that we would be getting the right one, or that it would truly address the complexities of managing risk in our financial system.

The RIMS conference hits full stride today with luncheon keynote speaker Nassim Nicholas Taleb – author of ‘The Black Swan: The Impact of the Highly Improbable.’ Taleb’s book, which was the #1 highest selling nonfiction book published in 2007 on Amazon, is based on the notion that low frequency (rare) events such as a ‘black swan’ are unknowable or highly improbable, yet often have the highest impact. With a second edition due out in May, Taleb takes a unique perspective on risk management and life in general. He recently Tweeted: “Social media are antisocial, health foods are empirically unhealthy, knowledge workers are ignorant, & social sciences aren’t scientific.” On his home page, he describes his philosophy as:

“I am interested in a systematic program of how to live in a world we don’t understand very well –in other words, while most human thought (particularly since the enlightenment) has focused us on how to turn knowledge into decisions, I focus on how to turn lack of information, lack of understanding, and lack of “knowledge” into decisions –how not to be a “turkey”. My last book The Black Swan (and the 4th Quadrant papers) drew a map of what we don’t understand (the ONLY attempt in the history of thought to set a clear and systematic limit to what we don’t know); my current work focuses on how to domesticate the unknown “what to do in a world we don’t understand.”

His keynote is a can’t miss event for risk managers (or anyone in need of some soul searching!).

Expected to be released at RIMS 2010 this week in Boston is a new study on enterprise risk management. Sponsored by Marsh Inc. and the Risk & Insurance Management Society Inc. — the study titled “Excellence in Risk Management VII: Elevating the Practice of Strategic Risk Management” includes a 418 participant survey. When asked, “What barriers are in place that may prevent your senior management and board of directors from fully understanding the risk landscape of your organization?,” 40% of the respondents cited “siloed approaches to risk management.” Another thirty-six percent cited lack of awareness of concepts such as enterprise or strategic risk management, and 34% cited inadequate representation of the risk management function at the board and executive level.

For the forty percent of the survey participants representing public companies, the recent SEC disclosure rule should be reason for concern. SEC rule 33-9089 which became effective February 28, 2010 requires that boards describe their risk oversight process. The new disclosure rules relate to among other things, the relationship of a company’s compensation policies and practices to risk management, the background and qualifications of directors and director-nominees, board leadership structure and the board’s role in risk oversight. The discussion of board level oversight is a common theme at RIMS 2010 and promises to remain timely as the SEC continues to emphasize accountability moving forward.

RIMS 2010 kicked off in Boston this week with no signs of an economic slowdown. The Risk & Insurance Management Society Inc. (RIMS) is celebrating its 60th anniversary on the historic Boston waterfront with its annual conference being held at the Boston Convention and Exhibition Center. RIMS includes more than 10,000 risk managers from over 3,500 organizations ranging from Fortune 500 enterprises to government, nonprofit and service organizations.

The conference, now in its 19th year, includes sessions on Enterprise Risk Management, Loss Control, Finance, Risk Management and Insurance among others. RIMS president Terry Fleming described the past 10 years as the most important in RIMS’ development: “risk management as a discipline has been thrust into center stage in the wake of catastrophe after catastrophe, including the global financial meltdown. The need for risk management has been highlighted more than ever before and RIMS has stepped up to the proverbial plate by testifying before congress, identifying new areas of interest in the discipline, creating inroads abroad and crafting the very definition of enterprise risk management.”

Now that healthcare reform has passed, the Obama administration has turned its focus to financial services regulatory reform. Today, Obama gave a speech on the administration’s position and priorities. The House has already passed a bill, and the Senate may take up one this week, largely authored by Senator Dodd. A major sticking point has been the fund to facilitate an orderly liquidation (labeled a “bailout” fund by some critics) and the way to handle derivatives, but Senator Grassley’s vote yesterday to approve a Senate committee’s plan for derivatives trading gave new momentum to a bipartisan effort on regulatory reform, and it looks increasingly likely that in the coming months (if not weeks) we’ll see a major overhaul of the regulations that govern Wall Street.

Further, the SEC demonstrated late last week that it is one government agency that is going to take its oversight responsibilities seriously. Its civil suit against Wall Street giant Goldman Sachs sent shock waves through the financial services sector. It’s clear that there’s a major shift underway in the way regulators are regulating. Whether or not you agree with the merits of the suit, SEC Chair Shapiro is sending a message to the industry that the Commission is going to be watching closely.

A common theme here is transparency: the SEC argues that Goldman didn’t provide adequate disclosure about the nature of the Abacus investment opportunity; Obama argues today that “reform would bring new transparency to many financial markets.” We also see this as a common theme with our customers–they are looking for greater transparency into the risks in their business. We see this push for regulatory reform and increased oversight as driving the demand for a new information architecture that provides this transparency to managers, executives, board members and regulators. Of course, many companies are finding that it can help you run your business better, too.

Deloitte ERM professor and OPUS 2008 Keynote Speaker Mark Beasley just released an update to the NCSU-led ‘Report on the Current State of Enterprise Risk Oversight.’ Written in conjunction with the American Institute of Certified Public Accountants (AICPA), the research focused on how boards and senior management teams are responding to the challenges and increased emphasis on board oversight of risk management processes – particularly in light of the new SEC proxy disclosure rules. The study produced some interesting findings:

Over 63% of respondents believe that the volume and complexity of risks have changed “Extensively” or “A Great Deal” in the last five years

Thirty-nine percent of respondents admit they were caught off guard by an operational surprise “Extensively” or “A Great Deal” in the last five years

When boards of directors delegate risk oversight to a board level committee, most (65%) are assigning that task to the audit committee

64% of those audit committees are focusing on financial, operational, or compliance related risks

Only 36% indicate that they also track strategic and/or emerging risks

These findings should be concerning if your organization is looking to meet the requirements of the new SEC disclosure rule which requires among other things, that boards describe their risk oversight process. Here are some thoughts for your team to consider as you prepare:

How does your team create and foster the appropriate risk culture?

Have you established a risk management framework for identifying, measuring, monitoring, managing and communicating risks across all functions?

Do you have plans to enhance your approach to risk management by linking strategy, operational execution and critical risks?

We recently hosted a webinar titled ‘Risk Oversight and the New SEC Rule’ which describes the tools, reporting and resources that you’ll need to provide to the board of directors as they look to meet the new SEC ruling. Check it out here.

With over $400b in assets under management and 57,000 employees in 38 countries, Old Mutual is a Fortune 500 company (#225) with an operational footprint that spans all 7 continents. Now based in London and listed on the FTSE100, Old Mutual was founded in South Africa in 1845 as the 166-member Mutual Life Association of Cape of Good Hope.

While steeped in history and tradition, Old Mutual has a progressive approach to risk management which includes a ‘risk governance framework’ based on a ‘three lines of defense’ model:

functions owning and managing risk

functions overseeing the management of risk; and

functions providing independent assurance.

Old Mutual recently adopted OpenPages Operational Risk Management (ORM) to improve its enterprise-wide risk management efforts. OpenPages ORM is being used by numerous global organizations like Old Mutual to manage risk through self-assessments, end-user surveys, automated workflow and executive dashboards that provide management with the visibility, control and decision support required to understand and manage risks throughout the organization.

Today we announced that Julian Parkin, Group Privacy Programme Director at Barclays will deliver the day two keynote address at OPUS 2010. In his address titled, “Supporting Risk Management Initiatives Across the Enterprise with OpenPages,” Julian will discuss how Barclays has leveraged OpenPages for its risk and compliance management initiatives across the globe including data privacy, operational risk and financial controls management.

“As a global financial services organization, Barclays has wide ranging requirements for managing risk and compliance activities across the enterprise and across the globe,” said Julian. “The OpenPages platform provides the integration layer for enterprise risk management, assessment, monitoring and reporting which delivers risk intelligence to business end-users and management. I look forward to discussing successful risk management approaches and how the OpenPages Platform can be leveraged to drive sustainable improvements.”

If you’re an OpenPages customer and would like to learn more from Julian and the extensive cast of industry experts and practitioners at OPUS 2010, register now by clicking here.

Is risk management a strategic differentiator? When Toyota shifted the culture to one that valued and rewarded volume production, did it lose sight of quality as a strategic differentiator? Is Kermit the Frog a risk manager?

In the first installment of a multi-part Risk Chat with Eric Krell of the Big Fat Finance Blog, we touched on several such pressing topics. Check out Part One.

Just attended a great session presented by Matthew Neels, Chief Compliance and Risk Officer at Capital One. Mr. Neels focused on building board interaction and driving board attention to the right areas of risk through an integrated risk management framework. He began with an interesting question, “Should you be using an implicit or explicit framework and how is your board making a decision on that framework?” The correct answer of course is: both are required to effectively manage risk.

He explained how explicit frameworks enable structured board discussions through a consistent and common approach, whereas implicit frameworks rely on “corporate culture and deep experience.”

In his session, Mr. Neels also detailed how multiple stakeholders use frameworks for ‘decision making, reporting and escalation’ and in particular, how the Board uses frameworks to:

Provide an objective yardstick or measure

Create a basis for understanding

Identify situations and areas that need attention

Highlight areas doing well

Help differentiate between expected and unexpected

The discussion then moved to how “driving board attention to the right areas can be difficult” as board reporting is often a “laundry list of potential risks, current issues and decision requests.” He stated, “Without a framework you have everything coming in at once without context.” He then offered several suggestions for preventing information overload:

Specific and quantifiable tolerance measurement is critical to driving board attention to the right areas

Set your risk appetite

Create a risk framework

Determine standard metrics and KRIs

Establish risk tolerances

Establish risk limit

The goal according to Matthew is to establish a “common scale that enables cross-category comparisons and risk aggregation.”

Against the backdrop of Copley Square, Boston on St. Patty’s Day, Yousef Valine, Executive Vice President at First Horizon described the need to focus on non-financial risk and particularly, operational and business risk. GCOR (Global Conference on Operational Risk) 2010 is the fourth annual event hosted by the RMA (Risk Management Association). In his keynote address, Mr. Valine stated that while most believe earnings volatility is a factor of financial risk, earnings volatility can be attributed to non-financial risk 30% of the time – operational risk (12%) and business risk (18%) – versus financial risk 70% of the time. The key message being that business managers need to be operational risk managers at heart and need to foster and facilitate a strong risk-aware culture.

Mr. Valine also outlined how during 2002-2008, losses realized from the following events totaled $42b!

Enron, WorldCom, Adelphia scandals

Late mutual fund trading

Overdraft and credit card excessive fees

Auction rate securities

Mortgage fraud

Of course this makes the Madoff scandal at $65b even more troubling (note: Harry Markopolos will provide an in-depth review of the factors that enabled Madoff and how to prevent similar fraud in the future in his Keynote Address at OPUS 2010). Yousef emphasized that 45% of the loss amount ($19b) was the result of loss events in “Client Products and Business Practices” and that while it represented 45% of losses, the number of events (frequency) only represented 11% of total. Conversely, “Execution, Delivery and Process Management” represented 35% of frequency but only a fraction of the dollars lost. Ultimately, organizations need to consider severity versus frequency when reviewing loss events and mitigation practices.

Patrick de Fontnouvelle of the Federal Reserve Bank of Boston presented an interesting session at GCOR 2010 titled, “The Role of Operational Risk in the Recent Financial Crisis.” His basic premise was that the financial crisis of 2008 could have been avoided had financial institutions implemented and followed basic operational risk management best practices. And more importantly, that operational risk management best practices have been violated repeatedly throughout history, with predictable consequences. He recommended three steps to moving forward and preventing similar crises in the future:

We must work to develop and normalize operational risk management and measurement

Outreach is critical: there is a lack of understanding or a misunderstanding regarding the nature and impact of operational risk

Governance: the risk function must have sufficient stature and authority to take action against questionable practices (in other words they must have a seat at the table)

Revised reporting of stock and option awards to company executives and directors in the Summary Compensation Table

Potential conflicts of interests of compensation consultants

What might not be entirely self-evident is when they take effect. Help is provided by PricewaterhouseCoopers, which issued an advisory highlighting the timing for these new disclosure requirements, as follows:

The effective date of the new rules was February 28, 2010. Accordingly, the Form 10-K and proxy statement of a calendar year company must be in compliance with the new disclosure requirements if filed on or after February 28, 2010. If a calendar year-end company files its proxy statement on or after February 28, 2010, the proxy statement must comply with the new disclosure requirements. This is true even if the 2009 Form 10-K was filed before February 28, 2010.

An existing SEC registrant with a 2009 fiscal year that ended before December 20, 2009 is not required to comply with the Regulation S-K amendments until it files its Form 10-K for fiscal year 2010. As a result, any registration statements filed before its 2010 Form 10-K is required to be filed would not be subject to the new Regulation S-K amendments. A company may early adopt the new disclosure provisions; however, if the company elects to voluntarily comply with the disclosure changes regarding stock and option awards, it must also comply with all the other applicable Regulation S-K amendments.

If a new registrant (e.g., a company completing an IPO or a registration statement on Form 10) first files its registration statement on or after December 20, 2009, compliance with the Regulation S-K amendments would be required for such registration statement to be declared effective on or after February 28, 2010.

Recently purchased by The Bank of Tokyo Mitsubishi (the 2nd largest banking group in the world), Union Bank, N.A. out of San Francisco has been asked to lead the way for the entire organization with respect to adopting Basel II and the advanced measurement approach for operational risk measurement.

Marty Blaauw, Senior Vice President of Operational Risk at Union Bank stated, “At Union Bank, we are striving to use the advanced measurement approach for operational risk measurement and OpenPages provides an integrated operational risk management framework that will assist us in this goal. We are confident that OpenPages’ solution will allow us to streamline our operational risk management and measurement process and provide the integrated risk reporting and dashboards being requested at the executive level.”

With $86 billion in assets under management and 340 banking offices in California, Oregon, Washington and Texas as well as two international offices, this is a strategic initiative with enterprise-wide implications. Union Bank purchased licenses for the entire OpenPages Platform and selected OpenPages ORM as the operational risk system of record for managing risk assessments, key risk indicators (KRIs), issue management and scenario analysis, as well as integrated risk reporting.

Lesson 3: You cannot afford to overlook or underestimate the correlation of risks.

There were two innovations that fueled the growth in the subprime mortgage market. The first was credit derivatives: in its simplest form, a credit derivative is a contract between two parties in which the seller agrees to compensate the buyer if a loan goes into default. The second innovation involved a process called securitization, which traditionally involved lenders selling their loans to an investment bank. The investment bank “bundled” the loans together and sold pieces of the bundle to pension funds and other investors. The original lenders, having offloaded their loans, could make new ones. The investors acquired a slice of the loan bundle and its interest income without having to go to the trouble of meeting and assessing the borrowers.

The innovation was securitizing not just loans but credit derivatives. It was first applied to corporate loans which tend to have very little correlation (correlation is the degree to which the defaults in any given basket of loans might be interconnected). But then it was carried over to mortgages and more importantly subprime mortgages. The financial services sector industrialized the procedure, and began selling securitized debt and derivatives on an extraordinary scale. The fatal mistake was not realizing that subprime mortgages were highly correlated, especially in an economy where interest rates were rising and housing prices were falling nationwide. Moreover, subprime mortgages had intrinsic flaws (such as issuing loans with escalating interest rates to homebuyers with dubious credit ratings) that inevitably resulted in extremely high default rates.

J.P. Morgan opted not to get into this market, a very smart expression of a cautious corporate risk culture that ultimately saved the company from the disasters others suffered. Fool’s Gold gives a great account of how Morgan risk managers struggled to understand how other banks could be making so much money and covering their risks at the same time. To their credit, they did not enter the market because they understood the risk and did not have a way to mitigate it.

Lesson 4: Do not think that models are anything more than a guide or a compass.

Models are useful but they have limits. They are essential for navigating in the world of modern finance, but they are not infallible, no matter how well crafted they are. Models are only as good as the data that is fed into them and the assumptions that underpin their mathematics. The key simplifying assumption on which the credit derivative models rested was that the future was likely to look like the recent past. New financial innovations have no way to be tested relative to their risk level except by means of computer simulations that use historical data. But there are no statistics that truly represent the environment surrounding the new instrument and, as a consequence, no one really knows what risks are associated with the instrument. This is especially true of risks connected with the “correlation” factor. Hence, innovations can always have “surprises” connected with their usage. Remember that models are only tools and should not be used without human intelligence.

Lesson 5: Regulation is not a panacea.

As the crisis unfolded, there was a lot of blame placed on regulators and regulation. Although the Federal Reserve had the legal authority, they did not have the inclination to regulate the behavior by banks that led to the disaster. Alan Greenspan, head of the Fed, admitted that he had made a ‘mistake’ in believing that banks would do what was necessary to protect their shareholders and institutions. This “absence” of the oversight of the bank regulators has resulted in lots of discussion around new regulations, new regulatory agencies and so on. Tett’s book does an especially nice job in explaining how banks worked to get around capital requirements using the new tools and instruments. Part of the problem connected with the absence of the regulators during this period of time was that the banks worked very hard to expand their use of leverage in ways the policy makers could not see. Of course, this came back to haunt them when the collapse occurred. Financial institutions will always attempt to get around regulations in one way or another because it is profitable to do so. In addition, regulators are always behind what is going on in the industry. This is just the nature of the relationship.

Lesson 1: If it sounds too good to be true, it probably is.

Fool’s Gold is a great title for this book. As Tett writes, “For the first time in history, banks would be able to make loans without carrying all, or perhaps even any, of the risk involved themselves. That would, in turn, free up banks to make more loans, as they wouldn’t need to take losses if those loans defaulted.” Doesn’t this sound like a too-good-to-be-true story? It was and the mistakes that financial institutions made nearly brought down the global banking system. As risk managers we need to dig deeper and get to the bottom of “deals” that are too good to be true.

Lesson 2: There are many tools that can help reduce risk, but used inappropriately they can actually increase risk.

Warren Buffett declared prophetically in 2003 that the new financial tools called derivatives were “financial weapons of mass destruction.” The crucial point about derivatives is that they can do two things: help investors reduce risk or create a good deal more risk. Everything depends on how they are used and on the motives and skills of those who trade in them. Some investors like derivatives because they want to control risk, like wheat farmers who prefer to lock in a profitable price. Others want to use them to make high-risk bets in the hope of making windfall profits, kind of like playing the lottery. Credit derivatives were used to manage the risk attached to the loan book of banks and these tools offered a way of controlling risk, but they could also amplify it; it all depended on how they were used. In the subprime CDO market they greatly amplified the risk and the majority of senior managers within the financial services firms did not understand this risk.

I work in the computer software business and experienced firsthand the dot-com bust of 2000. As VP of Corporate Strategy for a public software company, I was involved in M&A activities, strategic partnerships and large OEM deals with dot-com companies. I rode the wave of going from $15/share to $95 and back down to $5. I understand the difference between client/server, n-tier, and cloud computing, and the subtleties between ISV, OEM and VAR relationships (in this context VAR means “value added reseller” not “value at risk”). I know why the dot-com era was a façade and why the bubble eventually had to burst.

As I read accounts of what was happening during the subprime crisis, I struggled to understand key concepts such as CDS (credit default swap), CDO (collateralized debt obligation) and SPV (Special Purpose Vehicle). I blamed my inability to grasp what was really happening on my lack of experience with complex financial products: I wasn’t “in the business.”

After reading Tett’s book, I now realize that I wasn’t the only one who couldn’t figure out what was going on. “As the pace of innovations heated up,” Tett writes, “credit products were spinning off into a cyber-world that eventually even the financiers struggled to understand. The link between the final product and its underlying assets was becoming so complex that it appeared increasingly tenuous. . . . Most financiers lacked the cognitive skills to truly understand the connections in this new world.” Oh yes, and “even regulators seemed only vaguely aware of what the banks were really doing.”

I highly recommend reading Tett’s book. She is able to decipher Wall Street mumbo-jumbo in terms that a lay reader, or at least a determined lay reader, can understand. Tett provides a rich cast of characters and a storytelling device that helps make this book compelling fun to read. More importantly for risk managers, however, you will also gain a new appreciation for the significance of sound risk management for your organizations. There are lots of reasons why the crisis developed, for example greed, carelessness, and deceptive practices. But across the financial services industry, systemic weaknesses in risk management culture, discipline, and implementation of best practices added fuel to the flame.

In a subsequent blog I will summarize some of the key risk management lessons that Fool’s Gold uncovers.

Financial services firms, pharmaceutical companies and other heavily regulated organizations have long devoted significant resources to a compliance office, typically with a chief compliance officer and strong support staff. Multinationals have embedded part of the compliance function locally, typically with reporting to both the central compliance office and local management. But companies not facing heavy regulation, even large ones, have struggled in deciding whether a full time compliance office is needed.

Well, now there are clear indications that a full time role is becoming more common. Compliance Week recently reported on two studies saying just that. One is from the Open Compliance and Ethics Group (OCEG), whose survey shows 75% of the 365 respondents have a chief ethics and compliance officer or similar title with “top-level oversight of compliance.” And 40% said the compliance chief has no other role in their company, and for companies with over $1 billion in revenue, the number is 55%. Where the title is shared, it’s with the company’s legal department 23% of the time. The other survey was conducted by the Society of Corporate Compliance & Ethics, showing that of 560 respondents, 97% have a designated compliance or ethics officer, with 36% having no other title. Of those with another role in the company, 20% share responsibilities in the legal department. As with the OCEG study, other shared roles range from the chief audit executive, CFO, and head of human resources, among others.

Also telling about the relative importance of the compliance officer role are the reporting relationships. The SCCE study, for instance, shows the chief compliance officer reporting directly to the CEO in 55% of the organizations. And the compliance officer provides reports to the board of directors or a board committee both in writing and face-to-face in 80% of the companies. And with a more senior role comes higher pay. The OCEG study shows the most common level of compensation (36%) is between $150,000 and $250,000, with 20% reporting pay at $350,000 and above, not counting bonuses, stock options or other forms of pay. As we might expect, pay in larger companies is at the higher end, with companies with more than $1 billion in revenue showing 23% with total compensation at the $450,000 level or higher.

Certainly, if you’re directly or tangentially involved with compliance, these numbers probably aren’t surprising. With the regulatory spotlight shining brightly and companies struggling to keep costs from soaring out of control and to enhance compliance program effectiveness, companies are looking to strengthen the role of their chief compliance officer.

OPUS is a unique gathering where OpenPages customers come to share experiences and learn. In its 6th year, OPUS is steeped in tradition and one of the foremost traditions is pairing local culture and flavor with social networking. OPUS 2010 continues that tradition with the announcement of the OPUS 2010 Gala to be held at the historic Boston Public Library, providing a true Boston experience with local culture, fare and history.

Home to over 1.2 million rare books and manuscripts including one of the rare Gutenberg Bibles and several first edition folios by William Shakespeare, the Boston Public Library is also known for its rich architectural history. Founded in 1848, by an act of the Great and General Court of Massachusetts, the Boston Public Library (BPL) was the first large free municipal library in the United States. The present location at Copley Square in Boston is across the street from OPUS 2010 and has been home to the Library since 1895, when architect Charles Follen McKim completed his “palace for the people.”

The OPUS 2010 Gala will begin with a cocktail reception overlooking the majestic outdoor Courtyard whose arcaded promenade is a replica of the Cancelleria Palace in Rome. Dinner will follow in the Popular Reading Room which looks out onto Copley Square and the Old South Church. The room features an ornate architectural vaulted ceiling with interlocking Guastavino terra cotta tiles and a distinct bookcase-lined mezzanine on two sides.

Desserts, music and fun will round out the evening in the beautiful Abbey Room where the famous “Quest of the Holy Grail,” murals by American artist, Edwin Austin Abbey have graced the walls since 1895. In true OPUS tradition, The Abbey Room will host the OPUS casino where you can try your hand at blackjack, roulette, and craps – not sure this is what Mr. Abbey had in mind! If you’re an OpenPages customer, we hope you will join us, it promises to be a fun evening with a little bit of culture on the side!

CapGemini hosted a conversation on enterprise risk management this morning at GARP. Panelists touched on a number of issues that need to be tackled for successful enterprise risk management:

Helga Houston from Phoenix Global Advisors pointed out that many banking institutions grew very rapidly over the last 10 years and for the most part the risk management infrastructure didn’t keep pace.

Bradley Farris of BB&T agreed with Houston and added that the “demands on the data side are incredible.”

Houston touched on another key point: risk information surfaced to the business needs to drive dialog with the business. Everyone agreed that risk management needs to engage with the business, to reinvent language so that risk managers can have fruitful conversations with the business. Her point was that without having buy in from the business it’s very hard to change processes to mitigate risks.

Panelists also focused on the importance of governance processes and infrastructure to support the dialog with the business. All agreed that the market and credit risk processes are typically well-supported and that there’s a lot of opportunity for improvement in the operational risk domain.

It’s clear that one of the themes of the conference is that risk managers have to engage the business with information and dialog that’s useful to enhancing the performance of the business vs. satisfying risk management needs alone.

This morning’s featured panel discussion at GARP includes several CROs and senior risk practitioners from Morgan Stanley, The Vanguard Group, Credit Suisse and Western Asset Management.

The first topic was VAR. VAR works in “normal markets.” There is a question of what the appropriate time window is. One panelist remarked that it would be good to have better regulatory consistency on this issue: should companies be focused on a 1-year or 4-year timeframe, for instance?

VAR tends to distract you from the tails, and one panelist remarked that “you really need to stay focused on the tails,” e.g. gap risk, liquidity risk, etc. The panelist continued to say that he’s really focused on the deep downside risk: how much money could the position/desk possibly lose. You have to be very dynamic in thinking about where you can be hit next.

The third panelist asserted, “I think VAR is worthless and pernicious and should be banned,” noting that it’s not a coherent risk measure (99.9% VAR doesn’t handle a 1 in 200 year event). Also, the panelist pointed out that it doesn’t encourage diversification. He focused on scenario analysis but said that there is no easy answer.

Another panelist defended VAR as a tool that has its pluses and minuses.
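To make the “not a coherent risk measure” and “doesn’t encourage diversification” remarks concrete, here is an added example (not from the panel or the original post) on a constructed book of two independent loans, each with a 4% chance of losing 100: at the 95% level VaR fails subadditivity (the diversified book shows more VaR than two stand-alone loans combined), while expected shortfall, a coherent alternative, does not; it also shows VaR staying at zero no matter how large the tail loss becomes.

```python
from fractions import Fraction
from itertools import product

# Constructed example for the VaR discussion above (added here; not from the
# panel or the original post). Loss distributions are dicts {loss: probability}
# held as exact Fractions so the comparisons below are exact, not float noise.

def single_loan(loss=100, p_default=Fraction(4, 100)):
    """One position: lose `loss` with probability p_default, else nothing."""
    return {0: 1 - p_default, loss: p_default}

def combine(*dists):
    """Loss distribution of a portfolio of independent positions (convolution)."""
    out = {0: Fraction(1)}
    for d in dists:
        nxt = {}
        for (l1, p1), (l2, p2) in product(out.items(), d.items()):
            nxt[l1 + l2] = nxt.get(l1 + l2, Fraction(0)) + p1 * p2
        out = nxt
    return out

def value_at_risk(dist, alpha=Fraction(95, 100)):
    """VaR at level alpha: the smallest loss l with P(L <= l) >= alpha."""
    alpha = Fraction(alpha).limit_denominator()
    cum = Fraction(0)
    for loss in sorted(dist):
        cum += dist[loss]
        if cum >= alpha:
            return loss
    raise ValueError("probabilities must sum to 1")

def expected_shortfall(dist, alpha=Fraction(95, 100)):
    """ES at level alpha: mean loss over the worst (1 - alpha) of probability mass.
    The atom sitting on the quantile is split so exactly (1 - alpha) mass is used."""
    alpha = Fraction(alpha).limit_denominator()
    tail = 1 - alpha
    remaining, acc = tail, Fraction(0)
    for loss in sorted(dist, reverse=True):
        take = min(remaining, dist[loss])
        acc += take * loss
        remaining -= take
        if remaining == 0:
            break
    return acc / tail

def is_subadditive(measure, dists, alpha=Fraction(95, 100)):
    """Coherence check: measure(portfolio) <= sum of stand-alone measures."""
    portfolio = measure(combine(*dists), alpha)
    standalone = sum(measure(d, alpha) for d in dists)
    return portfolio <= standalone

def panel_example():
    """Two independent 4%-default loans at the 95% level, plus a fat-tail twin."""
    loan, big_loan = single_loan(), single_loan(loss=10_000)
    book = combine(loan, loan)
    return {
        "var_one_loan": float(value_at_risk(loan)),          # 0: the 4% default sits past the 95% quantile
        "var_two_loans": float(value_at_risk(book)),         # 100: diversifying raises VaR
        "var_subadditive": is_subadditive(value_at_risk, [loan, loan]),
        "es_one_loan": float(expected_shortfall(loan)),      # 80
        "es_two_loans": float(expected_shortfall(book)),     # 103.2, less than 2 * 80
        "es_subadditive": is_subadditive(expected_shortfall, [loan, loan]),
        # VaR is blind to how bad the tail is: a 100x larger loss leaves VaR unchanged
        "var_big_loan": float(value_at_risk(big_loan)),      # still 0
        "es_big_loan": float(expected_shortfall(big_loan)),  # 8000
    }

if __name__ == "__main__":
    for name, value in panel_example().items():
        print(f"{name:18} {value}")
```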

The panelists then turned to the role of risk managers, and their role in predicting the future (in the context of the financial crisis). If risk is lack of information about the future, many companies failed to hedge when there was a very cloudy future (lack of information). One panelist noted that in many cases the risk management failure was more than just the technical capability of knowing what to do, but actually a failure to be able to drive action.

The question of the changing regulatory landscape came up, with one panelist joking that CRO stands for Chief Regulatory Officer now. Another joked that he’s trying to stay away from the regulatory topic because they don’t know whether what they do will be “legal or illegal” under reg reform.

There was agreement that the FDIC has been very successful in carrying out their mission. But one panelist said that in the near term we don’t seem to be on a path towards getting an effective systemic risk regulator. Another said that we’re creating systemic risk through regulatory uncertainty.

The noon panel at GARP discussed risk and performance management, with a diverse set of participants, including representation from Hess, Swiss Re, and Vanguard.

Kanwardeep Ahluwalia from Swiss Re noted that many companies are going through a derisking process right now. However, Ahluwalia cautioned that companies need to be cognizant of how much they are paying to reduce their risk. In many cases, especially now, it may make more sense to manage the risk internally to maximize performance.

What is the role of risk management in the budget process? Panelists suggested that during the budgetary process risk management should step up and call out inconsistencies between risk and performance goals. The moderator, Kevin Buehler from McKinsey, noted that many times he has found that companies in trouble have misaligned expectations between risk and reward. For instance, a company may have aggressive revenue goals to take share in a particular (emerging) market, but those goals may be in conflict with a risk adjusted return on capital. However, he said that risk management does not typically win out in a conflict in which the CEO is on the other side, but you have to force the dialog.

Jonathan Stein from Hess argued that risk management needs to move beyond the Be Careful mantra and move into recommendations for risk mitigation. He talked about the importance of developing scenarios that help define triggers for risk mitigation actions.

In general, the message from the panelists was that deeper interaction with the business allows risk managers to be more effective. This includes everything from designing risk management processes around the way the business makes money to prompting a dialog at the executive level when risk and performance expectations are not aligned.

OPUS 2010 keynote speaker, independent financial fraud investigator and Madoff whistleblower Harry Markopolos will release his exclusive story “No One Would Listen: A True Financial Thriller” on March 2.

The book, which will be made available to all OPUS 2010 attendees, describes how he and his team “The Fox Hounds” investigated Madoff and presented their case to the SEC on numerous occasions, years before Madoff turned himself in on December 11, 2008 (approximately $65 billion later).

From May 2000 to December 2008, Markopolos and his team submitted five separate and detailed warnings to the Securities and Exchange Commission (SEC) about Madoff’s operations in an effort to launch an investigation on the validity of his practices.

During the OPUS keynote address, Markopolos will detail how his four person investigative team tracked Madoff and the Madoff Feeder Funds throughout Europe and North America and repeatedly submitted detailed reports to the SEC.

If you’re an OpenPages customer and would like to hear Mr. Markopolos discuss the red flags, warning signs and the critical audit steps that companies need to be aware of to prevent similar events from occurring in the future, register for OPUS 2010 and receive a complimentary copy of his new book. It’s promising to be a “Thriller”!

Accelerated filers of course have long been subject to SOX 404 (a), requiring management reporting on the effectiveness of internal control over financial reporting, as well as section (b), where auditor attestation is required. While having to incur tremendous costs, with some companies seeing little commensurate benefit, others have seen improvement in business process effectiveness, internal control beyond financial reporting, and improved compliance more broadly. Non-accelerated filers, already subject to management reporting, have gained another reprieve from the auditor attestation requirements of section (b). Great news, many are saying. They hail the opportunity to avoid incurring additional costs and taking focus away from running and growing their businesses.

Recently I came across an article in Directors & Boards by a former colleague of mine that offers a different perspective, which in my view is worth considering. His view is, in addition to the SEC losing credibility – agreeing to another deferral after making clear and definitive statements that no more would be forthcoming – that requiring and adhering to section (b) offers benefits beyond the costs, for a number of reasons:

(1) Smaller companies traditionally have less sophisticated systems and less experienced individuals in management positions, with statistics showing greater incidences of fraud and restatement of financial results

(2) The 404(b) compliance costs have come down with the advent of AS 5 and COSO’s guidance for smaller businesses

(3) Studies indicate that companies that are not SOX compliant or have material weaknesses in their internal controls receive a lower valuation, whereas those that are compliant receive higher multiples when sold

(4) These companies are less likely to take advantage of IT solutions that provide enhanced efficiency and management capabilities well beyond better controlled financial reporting

(5) CEOs and CFOs who already must certify to the effectiveness of financial reporting controls are on the hook by themselves, failing to receive the comfort provided by auditor attestation

Certainly, these arguments are worth considering by senior managements and boards of companies still waiting to see whether and when the 404 (b) requirement ultimately will become effective.

If you’re involved in developing, enhancing or monitoring your company’s risk management activities, you probably know that “risk” and associated terms are used very differently by different people. This too often is the case throughout an organization, right up to the board level. Indeed, experience shows that senior managements and boards think they’re talking the same language, when they are not.

How often have you heard the terms “risk assessment,” “risk management,” and “enterprise risk management” used almost interchangeably? If your experience is anything like mine, it happens all the time. My sense is that busy executives and directors understand the basic concept of risk and don’t take the time to get into what are perceived to be details in terminology. The resulting problem, however, is that we talk at cross purposes and misunderstandings abound. Risk related professionals know well that a risk assessment is a point-in-time snapshot of risks in an organization, risk management includes a number of activities in identifying, analyzing and managing risk, and enterprise risk management raises the bar to a still higher level.

A fundamental issue is that too often top managements and boards believe their organizations have in place effective enterprise risk management processes when in fact they don’t. They know the words, and truly believe they deal with risk as well as any organization. They believe their senior management team focuses on risk and drives risk management throughout the organization. And what we’ve often found is that they are wrong.

It is not a simple task to change the minds of high powered CEOs and directors. And one wonders whether it’s worth one’s political capital to push this issue. But this is so important a matter that to know there’s misunderstanding and allow it to continue is dangerous – for top management, the board, the company, and all of its people.

Risk management is a hot topic at Davos this year. Over on the Forbes blog, Paul Maidment notes that companies are thinking about how to improve their risk management approach, prompted in part by the new SEC proxy disclosure rules, though many are opting not to have a so-called risk committee. Maidment notes that management is responsible for educating the board as to the state of risk exposure in the company. We would argue that there’s a step that has to happen first: companies have to put in place an information architecture that can provide transparency to that exposure in the first place. A rat’s nest of Excel spreadsheets won’t do the job.

Coincident with Davos, PwC released their 13th annual global CEO survey, which found an uptick in CEO sentiment worldwide. The survey also found that over 83% of companies are planning ‘a major change’ to their risk management approach. This is higher than for any other aspect of their strategy, organization or operating model. Clearly, we’ve reached the tipping point on risk management. Companies that don’t address this critical area of their business risk being left behind.

Rounding out the 2010 GRC Wish List at #10 is “Increased Agility to Respond to New/Changes in Regulations.” While there’s a lot of talk about regulatory reform, and Gordon Burnes noted that “Regulatory Clarity” was #1 on the 2010 GRC Wish List, we may be getting closer to actual regulation this year.

President Obama, in his first State of the Union address, called for “serious financial reform.” He stated, “We can’t allow financial institutions, including those that take your deposits, to take risks that threaten the whole economy. Now, the House has already passed financial reform with many of these changes. And the lobbyists are trying to kill it. But we cannot let them win this fight. And if the bill that ends up on my desk does not meet the test of real reform, I will send it back until we get it right. We’ve got to get it right.”

As regulatory pressures continue to mount, and given that the regulatory environment will only increase in complexity, businesses that take a more practical, cross-regulatory approach to managing compliance will alleviate increasing cost and complexity while gaining valuable insight into risks to key business processes that could affect corporate performance in the form of legal action, fines and penalties or damage to company reputation.

This is where the need for “Increased Agility” comes in. Your risk and compliance processes will evolve over time to meet these changing business and regulatory requirements. Your GRC solution needs to be flexible and allow you to quickly adapt your risk and compliance management framework to meet changing requirements, while minimizing the impact on your business operations. Be careful of solutions that either force you to change your processes or develop custom extensions to the software to meet new regulations or requirements. Changes to your methodology due to an inflexible technology solution will negatively affect your ability to incorporate integrated risk management into your business operations.

One of the key themes that developed during 2009 was that risk management is more crucial than ever to organizations, and failing to deal with it is not an option. Companies are seeking ways to gain a more complete picture of risk, assess exposures across business lines and aggregate these into a firm-wide view. Collaboration with and support from the business lines is critical to achieve these goals as we discussed in #2 on our list: “Better Collaboration with the Business.” But if you are looking for better collaboration and you’re investing in risk management systems (#6), you probably can also relate to #9 in the 2010 GRC Wish List: “Risk Applications that are Easily Adopted by the Business.”

How do you support adoption of your risk management application by the business? Here are a couple of things you might want to consider:

Involve the business in the application selection and implementation process. Participation by the business is a great way to build commitment and you will usually find that they have some great ideas too.

Select a solution that can easily adapt to your methodology. GRC solutions should be enablers that support your risk management practices. Technology should not force your users to change the way they do business.

Deploy a solution that is intuitive and easy to use. Most business professionals are technically competent but they are not “power users.” Make sure that your risk management solution is easy to learn and use. In addition, most business people will be infrequent users, so pay particular attention to how quickly and easily users can accomplish their specific tasks.

Focus on Usability first, User Experience second. Usability focuses on the factors that affect the user’s ability to understand and do things in the application. User experience focuses on providing an engaging, fun, pleasant, empowering and inspired experience. Usability is critically important for your business users and will greatly determine the extent to which they adopt your risk management solution. User Experience is nice, but save it for your company’s web site.

Providing a risk management solution that is easily adopted by your business users will be a key enabler for achieving actionable risk management: where risk and compliance activities are an integral part of everyday business operations.

Is your current risk application enhancing your risk management practices or getting in the way? Let us know about your experiences with deploying risk management applications and what has helped or hindered their adoption.

If nothing else, the financial crisis of 2008 has driven home the need to improve reporting to the organization regarding risk posture and exposure. As we look to 2010 and beyond, risk and compliance processes will no doubt evolve to meet changing business and regulatory requirements. Coming in at #8 on the 2010 GRC Wish List is “Strong Reporting with Easy-to-Use Formatting.” While the value of strong reporting is clear, a few challenges remain:

Cross-domain Reporting – With the large number of risk and compliance initiatives underway at organizations today, users are struggling to deliver comprehensive enterprise risk management. Users need a way to understand and manage their risk exposure across the numerous risk and compliance domains through enterprise risk assessments and integrated reporting. GRC solutions that are developed independently in silos produce application-specific reports that only reference data local to that application and provide an incomplete picture of enterprise risk exposure.

Multiple Reporting Regimes – Companies are struggling to meet the needs of an increasing number of reporting regimes. For instance, a financial services company may have adopted the COBIT framework for IT management, adhere to FFIEC best practices guidelines and may be looking to establish an Anti-Money Laundering (AML) program. The key challenge facing these organizations is in establishing a risk framework that integrates multiple reporting regimes and provides visibility into the state of key risks across the enterprise.

Linking Oversight with Operating Environment – Effective “governance” implies effective oversight and reporting. To deliver effective oversight, GRC professionals need to be able to link their oversight and reporting to their operating environment by drilling down to view control status at the asset level.

Profile-based Reporting – Risk management professionals, compliance professionals and auditors frequently have access to highly confidential and sensitive information. Oftentimes, that information needs to be segmented from other stakeholders in different roles, entities, geographies or functional risk areas. GRC solutions need to provide a highly configurable, flexible and secure access control and security model to ensure that risk data is seen only by the right people, in the right context, at the right time.

It seems we can’t pick up a newspaper today without seeing another story on top management compensation, and its role in the near financial system meltdown. As Congress and the Administration wrestle with regulatory reform, fingers continue to point at CEOs and other senior executives who reaped huge rewards for taking what are deemed to be outsized risks – risks that brought some of their companies, and indeed the financial system, to the brink of disaster. The SEC’s new disclosure rules will shed more of a spotlight on executive pay and how companies and boards deal with corporate risk, and anger over “outsized” pay is boiling over in the form of regulatory reform and additional proposed taxes on financial services industry participants.

Certainly executive compensation should recognize the degree of risk inherent in performance. No one wants to see a CEO “bet the ranch” in a “heads the CEO wins, and tails shareholders and the taxpayers lose” scenario. So, yes, getting risk-reward back in balance at the top management level makes eminent sense, and already is under way.

With that said, however, we shouldn’t fall into a trap of thinking that dealing with the compensation issues can by itself address corporate risk. Those of you with leadership roles in risk management, compliance, auditing, and related areas in your organizations know full well that dealing with risk at the CEO level will not by itself transform how risk is managed throughout the organization. One can argue that CEO compensation has played only a limited role in causing financial institutions to take on such massive risks in the first place. Chief executives already have solid motivation to ensure the companies they lead achieve long-term success, and certainly simply keeping their prestigious and lucrative job and reputation intact are strong motivators. CEOs I’ve dealt with put the success of the company at the same if not a higher level than acquiring more personal riches. Make no mistake, many do want to enhance their wealth, and some continue to keep score with peers, but putting their own personal objectives ahead of the company’s and its shareholders’ is not typical.

So, I hope and trust that neither the powers inside the Beltway nor corporate leaders and boards will think risk management is primarily about managing CEOs’ motivations. The focus needs to be on risk management processes throughout the organization, linking risks with corporate objectives and initiatives, and managing risk to best achieve corporate goals.

“Better Collaboration with the Business” was in the #2 spot on our 2010 GRC Wish List and it talked about the need to embed risk management within the business by incorporating risk management practices into everyday business processes. Business line managers should be making risk-based decisions. But this requires them to be able to use internal sources of risk data from across the enterprise and, when available, external risk data.

Another major area of concern is how the constantly increasing and changing array of rules, regulations and industry standards is affecting existing processes and systems. In many cases, the technology solutions that support these processes are under extreme pressure and cannot adapt to satisfy the business needs. Meeting these regulations and standards requires gathering and storing risk data over a significant time frame. It also requires integrated risk reporting of the data for easy consumption by internal and external constituencies such as senior management and regulators.

Our #3 item, “Robust Organizational Risk Culture”, talked about how technology can play a role in helping to create a robust risk culture. But it is clear that technology is an enabler and not a complete solution. Businesses must evolve their risk management methodologies to meet these changing requirements. The goal is to establish an effective enterprise-wide risk management program that is flexible enough to respond to change and is tailored to an organization’s corporate strategies, business activities and external environment.

Many organizations that I work with are examining their risk management practices and are expecting to make significant changes in 2010. Investment in risk management systems, processes and technologies will be an essential step for many organizations. What is your organization doing to improve the effectiveness of its risk management processes and systems this coming year?

Several months ago I had the pleasure of presenting with Richard Brilliant, Carnival’s vice president and chief audit executive of Audit Services, in a Compliance Week webinar titled “Leveraging the Power of Integrated Risk Management”. Richard began his presentation by asking a very telling question: “Who specifically is best suited to manage risk in your organization?” The answer of course was “Everyone”. After all, enterprise risk management is about managing risks across multiple risk and compliance disciplines as well as across multiple business units. In other words, ERM requires everyone’s participation to be truly effective, and risk awareness and expertise must be instilled at all levels of the organization.

Coming in at #4 on the 2010 GRC Wish List, Risk Expertise is something that needs to start at the top. Risk expertise is a skill set that boards are looking for in their executive teams and is something that could potentially find its way into regulatory reform this year.

Sponsored by the UK government and published this past fall, the Walker Review recommends overhauling the boards of banks and other big financial institutions by requiring the Chief Risk Officer to have a reporting line to the risk committee, in addition to strengthening the role of non-executives and giving them new responsibilities to monitor risk and remuneration.

Some of the specific recommendations in the Walker Review include:

Banks should have board-level risk committees chaired by a non-executive

Risk committees to scrutinise and if necessary block big transactions

Chief Risk Officer to have reporting line to risk committee

Chief Risk Officer can only be sacked with agreement of board

It is clear that risk management will be under increasing scrutiny in the UK (and across the globe), and that risk expertise will be increasingly important in 2010.

It’s become clear that a risk-aware corporate culture is of critical importance to an organization. In the past year alone, we’ve seen plenty of examples in the news where a lack of risk-aware corporate culture has hurt companies, some beyond repair. Coming in at #3 on the 2010 GRC Wish List is a “Robust Organizational Risk Culture”.

While it is critical to be thoughtful, disciplined, and strategic in your approach, it’s also important to understand how technology can promote a risk-aware culture and become a tool to embed effective integrated compliance and risk management practices within an organization. It can act as a training and awareness tool, a marketing tool, and can help build accountability and push policies and processes into daily activities.

Does your organizational culture reinforce your strategy and risk appetite or undermine it? PricewaterhouseCoopers has developed a “Risk Culture Self Assessment” that will help you understand where your organization stands in terms of how it manages risk. They also published a five-step guide titled “Building a risk-aware culture for success.”

Risk management should be viewed as a competency that is embedded in the organization. Coming in at #2 in the 2010 GRC Wish List, however, “Better Collaboration with the Business” reflects the lack of understanding and poor communication that exists today between the risk function and business managers.

Surveys have shown that only 40 percent of respondents find the importance of risk management to be widely understood throughout the company, suggesting that more needs to be done to embed risk culture and risk thinking more deeply in the institution.

Incorporating risk management into everyday business processes will enable executives to focus on those elements of their risk activity that have the greatest positive impact on the organization.

Business managers can spend less time on assessments and more time on proactively managing risk and processes to meet company objectives.

Providing enhanced visibility into the risk landscape, integrated risk management empowers business managers to make smarter decisions that maximize value, reduce costs and balance risk with returns. When embedded into everyday processes at all levels of the organization, risk management will drive business performance.

For GRC managers in the financial services sector, the 2010 wish list includes regulatory clarity. In the depths of the financial crisis, the Obama administration promised financial services regulatory reform. President Obama himself remarked during his inaugural address: “But this crisis has reminded us that without a watchful eye, the market can spin out of control.” But what has happened since then?

A credit card bill was passed, but meaningful overhaul is still buried in the legislative process, and there are still major differences between the House and Senate versions of the critical elements of reg reform, including the systemic risk regulator, consumer protection and mortgage reform. Last week, Senator Dodd, who chairs the powerful Senate Committee on Banking, Housing and Urban Affairs, announced that he wouldn’t be seeking reelection. Given the narrow margin in the Senate and his likely desire to get something done before he retires, we’re likely to see more compromise before anything gets passed.

Further, the political climate in Washington has shifted over the last year, and financial services reg reform is not the top priority for the administration–health care is (and now terrorism). In the end, as the political momentum behind reg reform fragments into competing alternatives, GRC managers are going to have to accept this uncertainty and the current regulatory structure, which may endure longer than expected. Of course, this in and of itself offers some clarity, which explains why we’re continuing to see strong growth in the GRC platform market, as companies move forward with their plans for integrated risk management, despite the uncertainty.

We recently had an interesting discussion on what GRC professionals are hoping to achieve in 2010. We had so much fun we decided to publish a 2010 wish list for risk and compliance managers. The list is based on conversations we had with our customers, prospects and industry experts over the past several months.

Why are there 10? Well, as George Carlin mused in his skit about Moses and The Ten Commandments, “because 10 sounds official. Ten sounds important! Ten is the basis for the decimal system, it’s a decade, it’s a psychologically satisfying number (the top ten, the ten most wanted, the ten best dressed). So having ten commandments was really a marketing decision!”

All kidding aside, we’d love to get your reaction to our list and see if we left anything out. We’ll drill down into more detail for each one over the next ten days! Here’s the list:

For those of you on boards of directors or supporting them, you’ll want to focus on new governance-related regulations recently issued by the SEC. Originally proposed for comment last summer, these rules take effect February 28, 2010, in time for many companies’ upcoming 10-K and proxy season.

Risk. A particular focus of the new requirements is the board’s role in overseeing risk, focusing on such matters as how the board administers its oversight function – for instance whether through the entire board, a separate risk committee, or the audit committee. The rules also call for discussion of the company’s compensation policies or practices as they relate to risk management and to risk-taking incentives that can affect the company’s risk and risk management. The release suggests also that companies may want to disclose how the board receives information from individuals with day-to-day management responsibilities.

Director Qualifications and Experience. Existing disclosure requirements are expanded to include, for each director and nominee, information leading to the board’s conclusion that the person should serve as a director of the company, focusing on such matters as the individual’s experience, qualifications, attributes, and skills.

Compensation. The rules call for revised reporting of stock and option awards in the summary compensation table and director compensation table, and disclosure of certain potential conflicts of interest of compensation consultants. Rather than reporting the dollar amount recognized for financial statement purposes for the fiscal year, the rules require reporting the aggregate grant date fair value of stock and option awards granted in the fiscal year, with special instructions for awards subject to performance conditions.

Board Leadership Structure. Disclosure is required about the board’s leadership structure, including why it is deemed best for the company and why it was decided to combine or separate the CEO and board chair positions. Where the positions are combined, disclosure is also required about whether a lead independent director is in place and what that director’s leadership role is.

Other required disclosures relate to such matters as: other board seats held by directors and nominees; how diversity is considered in identifying director candidates; and legal actions involving a company’s executive officers, directors, and director nominees.

There’s a lot here, and boards, corporate secretaries, governance officers and others who support the board’s activities will need to understand the new rules and effect compliance. For certain matters, such as requirements regarding risk, we can expect some companies to reconsider their risk management activities to ensure their substance is in line with desired disclosures.

Information infrastructure provider EMC yesterday announced that it will buy IT GRC vendor Archer. According to the press release, EMC bought Archer for its “technologies for information risk management and information security,” and Archer will operate as part of the company’s RSA security division. Archer will become part of the EMC information management stack, integrated tightly with EMC products, like their widely renowned storage solutions.

Archer’s solutions address the challenges faced by IT managers in the areas of IT compliance and policy management. Some of our customers are using Archer on a departmental basis within IT to manage things like vulnerability assessment reporting, configuration management and PCI compliance. Archer, for instance, helps companies prepare for IT audits and compliance reporting.

These same customers see OpenPages as a way to understand and manage their risk exposure across the enterprise through enterprise risk assessments and integrated reporting, whether by process, program or function. In this way, OpenPages helps ensure that companies can achieve their business-level objectives, managed by the Chief Risk Officer and Business Unit heads. They use our ITG solution to integrate IT risk with their overall enterprise risk posture. So, for instance, OpenPages helps companies address IT, compliance and operational risk issues like the ones faced by MF Global (not an OpenPages customer), which a couple of weeks ago was fined $10 million in connection with a rogue trading loss of $141 million.

Both IT GRC and Enterprise GRC solutions are critical components of an effective Enterprise Risk Management program. Where you start will depend upon your company’s priorities.

Fed Chairman Ben Bernanke went on the offensive yesterday at the annual meeting of the American Economic Association, arguing that lax regulatory oversight, not loose monetary policy, led to the housing bubble and subsequent financial crisis. You can read his remarks here.

After working behind the scenes for most of the fall, lobbying legislators one-on-one, Bernanke took a very public position yesterday, blaming the rise in housing prices on the alternative types of variable-rate mortgages, which created more demand than could be expected from prevailing interest rates alone.

Bernanke argued that “stronger regulation and supervision aimed at problems with underwriting practices and lenders’ risk management would have been a more effective and surgical approach to constraining the housing bubble than a general increase in interest rates.”

Further, he said that “the lesson I take from this experience is not that financial regulation and supervision are ineffective for controlling emerging risks, but that their execution must be better and smarter.”

To some extent he’s trying to deflect the spotlight onto other regulatory agencies chartered with overseeing the factory for different kinds of mortgages. But Bernanke can’t have it both ways. He’s argued in the past that the Fed has a role in consumer financial protection and has lobbied against the CFPA, so, if it is the case that the Fed’s mandate extends to the financial consumer, why did he let these mortgages with low monthly payments proliferate? While he was convincing that there were other factors beyond monetary policy that led to the housing bubble, he was less clear on what kind of regulatory structure would have prevented the bubble and how we should move forward on consumer financial protection. At this point, my bet is that the CFPA has enough momentum to pass with financial reg reform.
